SQM-Advisors, LLC

FAQ

Question: What really changed when ISO/IEC 17799:2005 was renamed ISO/IEC 27002:2005?
Answer: Nothing other than the name. This was a planned renaming to
align with the 27000 series of standards. No other changes were made to
the standard.

Question: What is ISO/IEC 27001?
Answer: ISO/IEC 27001:2005 (formerly BS 7799-2:2005) was released
on October 15, 2005 and is the new international standard that provides
a requirements specification for an Information Security Management
System (ISMS) and the foundation for third-party audit and certification.
The standard is complementary to the new standard ISO/IEC 17799:2005
(formerly ISO 17799:2000). The basic objective of the standard is to help
establish and maintain an effective information management system,
using a continual improvement approach. It implements a Plan-Do-Check-Act
(PDCA) process when establishing an ISMS.

Question: Is ISO/IEC 27001 “harmonized” with the other ISO Management
systems?
Answer: The standard provides a specification for ISMS and the foundation
for third-party audit and certification. It is harmonized to work with other
management system standards such as ISO 9001 and ISO 14001 and will
assist in the integration and operation of an organization’s overall
management system. It implements the Plan-Do-Check-Act (PDCA) model.

Question: What does ISO/IEC 27001 mean for IT security officers?
Answer: ISO/IEC 27001 should be used to guide the implementation of
security policy and procedures in alignment with recognized best practices.
Compliance to the standard will reassure customers and suppliers that
information security is a senior management priority and a systematic
process has been implemented to address information security risks.

Question: What are some of the benefits of 27001 certification?
Answer: The benefits of certification are numerous and include:
*Policies & procedures will be in accordance with internationally recognized
criteria, structure and methodology
*Assured continued due diligence to maintain certification through bi-annual
surveillance visits
*Evaluations will be conducted by qualified, impartial and monitored
assessors using an accredited methodology (Certified Bodies)
*Your ISMS will be audited to an internationally harmonized criteria, resulting
in mutual recognition of the evaluation results
*Certifiable, Proven, Defensible, Cost-Effective, Recognition of Best Practices
in information security
*Assists organizational compliance with legal, regulatory, and statutory
requirements including HIPAA, Gramm-Leach-Bliley (GLBA), Sarbanes-Oxley,
California SB1386, CFR21:Part 11, EU-Directive etc.
*Provides market differentiation due to positive influence on company image,
prestige and external goodwill and value of the company
*Demonstrates credibility and trust – satisfaction and confidence of stakeholders,
partners, citizens and customers
*Reduced liability risk; demonstrates due diligence; lower rates on
cyber-insurance premiums
*Increase in overall organizational efficiency
*Minimizes internal and external risks to business continuity
*An ISMS provides your organization with a security & privacy “Umbrella”, a holistic,
quality-based security and privacy posture supporting Corporate Governance
*ISO 27001 certification is recognized worldwide as a security and privacy differentiator
*Ensures that a commitment to security and privacy exists at all levels and that all
employees are educated on security and privacy
*Reduces operational risk; vulnerabilities are mitigated
*Provides your organization with continuous protection that allows for a flexible,
effective, and defensible approach to security and privacy

Question: What if my organization is already ISO 9001 certified?
Answer: If you are already 9001 certified you have an excellent head start towards
27001 certification. Many of the elements of 9001 certification are required by 27001.
There should be no need to duplicate these systems. If you are advised to create a
separate or redundant management system, STOP and call SQM-Advisors. The two
standards have been designed to complement each other, not to compete.